
Vulnerability summary

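Defect ID: wooyun-2015-0113429

Title: Stored XSS in the official eLong app can capture the administrator's cookie / can shell into the intranet

Vendor: eLong Travel (艺龙旅行网)

Author: Mr.Q

Submitted: 2015-05-11 15:20

Fixed: 2015-06-26 09:16

Made public: 2015-06-26 09:16

Vulnerability type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 15

Status: Confirmed by the vendor

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]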



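Vulnerability details

Disclosure status:

2015-05-11: Details reported to the vendor; waiting for the vendor to handle them
2015-05-12: Vendor confirmed; details disclosed to the vendor only
2015-05-22: Details disclosed to core white hats and experts in the relevant field
2015-06-01: Details disclosed to regular white hats
2015-06-11: Details disclosed to trainee white hats
2015-06-26: Details disclosed to the public

Brief description:

Stored XSS in the official eLong app can capture the administrator's cookie and can be used to shell into the intranet

Detailed description:

The problem is in the feedback feature of the eLong app; it can capture the administrator's cookie and can be used to shell into the intranet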

IMG_1145.PNG


location : http://mobilems.corp.elong.com/feedback_showfeedback.html#?
toplocation : undefined
cookie : CookieGuid=fb4adf74-eb8f-45a8-84f7-7c7bfe3ae06b; s_eVar46=sogou123; member=15156888725%20%20; SHBrowseHotel=cn=42001194%2C%2C%2C%2C%2C%2C%3B31903063%2C%2C%2C%2C%2C%2C%3B01801685%2C%2C%2C%2C%2C%2C%3B51801079%2C%2C%2C%2C%2C%2C%3B90824113%2C%2C%2C%2C%2C%2C%3B&; SessionGuid=d5da9c48-20ae-4a32-be61-9440a2c5c177; com.eLong.CommonService.OrderFromCookieInfo=Pkid=50&Parentid=50000&Coefficient=0&Status=1&Priority=8000&Makecomefrom=0&Savecookies=0&Cookiesdays=0&Isusefparam=0&Orderfromtype=1&ExpiresTime=0001%2f01%2f01 00%3a00%3a00; SessionSub=LoginRefresh=0-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0; TLTCNT=CAB-MAPIAFF20000000000000053; TLTSID=0E72614547654885320F29BE9C04856B; polic_key=UWFXOQE4ATIFMgA3ATJSNwNnUWs%3d%7csid%7cd5da9c48-20ae-4a32-be61-9440a2c5c177%7ctid%7cUWJXMQExATAFKAAyATBSLwNmUWNUKldtBDcBOgBjUDFUb1YxADM%3d; TLTHID=0E1C758848B16C6F1AD7E68F9C6701E6
opener :


HTTP_REFERER : http://mobilems.corp.elong.com/feedback_showfeedback.html
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0
REMOTE_ADDR : 112.132.228.197


The administrator's cookie was captured

QQ20150511-1@2x.png


It is possible to go further and shell into the intranet; I did not go any deeper and stopped here

2015-05-11 13:55:13 	
location : http://mobilems.corp.elong.com/feedback_showfeedback.html#?
toplocation : undefined
cookie : CookieGuid=fb4adf74-eb8f-45a8-84f7-7c7bfe3ae06b; s_eVar46=sogou123; member=15156888725%20%20; SHBrowseHotel=cn=42001194%2C%2C%2C%2C%2C%2C%3B31903063%2C%2C%2C%2C%2C%2C%3B01801685%2C%2C%2C%2C%2C%2C%3B51801079%2C%2C%2C%2C%2C%2C%3B90824113%2C%2C%2C%2C%2C%2C%3B&; SessionGuid=d5da9c48-20ae-4a32-be61-9440a2c5c177; com.eLong.CommonService.OrderFromCookieInfo=Pkid=50&Parentid=50000&Coefficient=0&Status=1&Priority=8000&Makecomefrom=0&Savecookies=0&Cookiesdays=0&Isusefparam=0&Orderfromtype=1&ExpiresTime=0001%2f01%2f01 00%3a00%3a00; SessionSub=LoginRefresh=0-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0; TLTCNT=CAB-MAPIAFF20000000000000053; TLTSID=0E72614547654885320F29BE9C04856B; polic_key=UWFXOQE4ATIFMgA3ATJSNwNnUWs%3d%7csid%7cd5da9c48-20ae-4a32-be61-9440a2c5c177%7ctid%7cUWJXMQExATAFKAAyATBSLwNmUWNUKldtBDcBOgBjUDFUb1YxADM%3d; TLTHID=0E1C758848B16C6F1AD7E68F9C6701E6
opener :

HTTP_REFERER : http://mobilems.corp.elo


QQ20150511-2@2x.png


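Proof of vulnerability:

Already proven

Fix:

Please fix it quickly, and how about a small gift, hehe

Copyright notice: please credit the source when reposting: Mr.Q@乌云 (WooYun)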
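The report gives no remediation detail, so the following is an added example, not code from the report or from the vendor. It shows the two controls that address what the capture above demonstrates: encoding stored feedback on output in the admin viewer, and keeping the session cookie out of script reach. The function names and the sample feedback string are assumptions made for illustration; only the cookie name `SessionGuid` is taken from the capture.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: markup typed into the app's feedback box.
SAMPLE_FEEDBACK = 'Booking failed <script>alert(document.cookie)</script>'


def render_feedback_unsafe(text: str) -> str:
    """The 'before': stored feedback concatenated into the admin page as HTML."""
    return '<td class="feedback">' + text + '</td>'


def render_feedback_safe(text: str) -> str:
    """The 'after': HTML-encode on output so the browser shows markup as text."""
    return '<td class="feedback">' + html.escape(text, quote=True) + '</td>'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie with script access disabled."""
    jar = SimpleCookie()
    jar["SessionGuid"] = session_id
    jar["SessionGuid"]["path"] = "/"
    jar["SessionGuid"]["httponly"] = True      # not exposed through document.cookie
    jar["SessionGuid"]["secure"] = True        # sent over HTTPS only
    jar["SessionGuid"]["samesite"] = "Strict"  # not attached to cross-site requests
    return jar["SessionGuid"].OutputString()


def missing_cookie_flags(set_cookie_value: str) -> list:
    """Audit helper: list protective attributes absent from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    missing = []
    for morsel in jar.values():
        for flag in ("httponly", "secure", "samesite"):
            if not morsel[flag]:
                missing.append(f"{morsel.key}:{flag}")
    return missing


if __name__ == "__main__":
    print(render_feedback_unsafe(SAMPLE_FEEDBACK))
    print(render_feedback_safe(SAMPLE_FEEDBACK))
    print(session_cookie_header("constructed-session-id"))
    print(missing_cookie_flags("SessionGuid=constructed-session-id; Path=/"))
```

Output encoding removes the injection itself; the cookie attributes only limit what a script can take if another injection point is missed, so both belong in the fix.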


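Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-05-12 09:15

Vendor reply:

Thanks to the white hat for submitting the vulnerability; we hope you will continue to support our work!

Latest status:

None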